Understanding Virtualization Guidelines

2013-06-05 by Steven Brooks

Doing business in the cloud offers tremendous benefits, including significant cost savings as well as reducing your IT footprint. Cloud computing provides more flexibility when it comes to shifting your IT needs, and far less overhead. However, without a systematic approach to virtualization that takes PCI compliance services into account, companies may be opening themselves up to greater risks. This guide will cover the essentials of the virtualization guidelines as laid out by the PCI DSS.

Staying Secure
Just because you follow the PCI DSS 2.0 Virtualization Guidelines doesn't mean you're as secure as you could be. The recommendations for using virtualization and cloud computing for storing PCI data may offer a lot of information on the basics of protection, but that's no substitute for a comprehensive security strategy.

Encryption should be incorporated as an essential component of protecting data in the cloud. Encryption, when applied correctly and consistently, helps demonstrate isolation of data in multitenant environments, and also serves to enforce separation of duties for added security. Even when using PCI compliant web hosting, the cloud is really a form of shared ownership, and organizations need to recognize that they may have to prove their safety and security measures to auditors under these conditions. Encryption is a key strategy for accomplishing these goals.

Understanding Responsibilities

The responsibility of ensuring PCI compliance extends beyond your company to the hypervisor itself. Both your business and your cloud provider must use PCI compliance services, and maintain documentation of what you believe is "in scope." This somewhat vague term extends to cover all cloud management solutions that provide automated services and platforms, especially when the hypervisor itself is considered in scope. To stay on the safe side, assume that any virtual services you use should be PCI compliant, including web hosting, and clearly define which security elements are whose responsibility.

In order to ensure PCI compliance, using the public cloud for sensitive data is unrealistic. The segmentation requirements and scope of applicable compliance guidelines make segmentation and isolated controls a must for safe and secure storage and transmission of cardholder data.

It's important to remember that compliance is about more than just meeting the PCI DSS guidelines. You also need to show your efforts to an auditor if needed, and they too must agree that your efforts constitute PCI compliance. The steps you take toward compliance need to be documented and traceable, and having a clear delineation of accountability will help.

Compliance in the Cloud
Achieving PCI DSS compliance while still taking advantage of everything that cloud services have to offer isn't easy. Recent research indicates that the vast majority of data breaches (90 percent) occurred in organizations that had not yet achieved compliance; those numbers look at standard compliance, without taking the cloud into consideration. With the inclusion of the PCI DSS Virtualization Guidelines, another layer of requirements is added for businesses to keep track of. Yet another way to look at these guidelines is that companies are gaining another layer of security for their cardholders, which helps customers feel confident about continuing to do business with you.

Although the virtualization requirements can look far-reaching from the outside, remember that the intent is to reduce risk for both cardholder and merchant alike. It seems clear that virtualization is the future of data storage as well as daily business, and achieving PCI compliance sooner rather than later can save you time and money while protecting your customers.

Author

Steven Brooks

PCI compliance services may change with the adoption of EMV standards by US Companies, along with a shift in liability from bank to merchant.
